Boolean Functions and Boolean Maps Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universit¨at Saarstraße 21 D-55099 Mainz February 2, 2003—English version August 30, 2003 last change February 21, 2015

1

Elementary Operations on Bits

On the lowest software level computers process bits or groups of bits. Examples of such groups are bytes that usually consist of 8 bits, or “words”, usually 32 or 64 bits, depending on the processor architecture. Bits have a logical interpretation as truth values “true” (T) or “false” (F). They also have an algebraic interpretation as values 0 (corresponding to F) or 1 (corresponding to T). As mathematical objects they are elements of the two element set {0, 1}, denoted by F2 . This notation comes from the algebraic context: Consider the residue class ring of Z modulo 2. This ring has two elements and is a field since 2 is a prime number. Addition in this field is the same as the logical operation XOR, multiplication is the same as the logical operation AND, see Table 1. The algebraic structure as field is of fundamental importance in Cryptography. Therefore, as usual in Algebra, we use the notation Fq for finite fields where q is the number of elements (often also written as GF(q) for “Galois Field”). In this context we also use the algebraic symbols + (for XOR), and · (for AND) for the operations, and often omit the multiplication dot. Cryptographers sometimes like to use the symbols ⊕ and ⊗ that unfortunately have a quite different meaning in Mathematics (direct sum or tensor product of vector spaces). We use these circled symbols only in diagrams.

2

Description of Boolean Functions

Let’s start with the naive definition: A Boolean function is a rule (or a formula or an algorithm) that takes a certain number of bits and produces 1

K. Pommerening, Boolean Functions and Boolean Maps

bits x y F F F T T F T T

logical operation OR AND XOR F F F T F T T F T T T F

2

algebraic bits operation x y + · 0 0 0 0 0 1 1 0 1 0 1 0 1 1 0 1

Table 1: The elementary operations on bits a new bit. Before making this definition mathematically precise we try to depict it in an appealing manner. A first simple example is the function AND: It takes two bits and produces a new bit by the logical operation AND, see Table 1. For a slightly more complicated example we consider the function f0 that takes three bits x1 , x2 und x3 and produces the value (1)

f0 (x1 , x2 , x3 ) = x1 AND (x2 OR x3 ). An illustration of an (abstract) Boolean function is a “black box”: n input bits ... XgXXXXXXXXXX output bit

What happens inside this “black box” has different specifications: • mathematically by a formula, • informatically by an algorithm, • technically by a circuit (or plugging diagramm), • pragmatically by a truth table (the value table of the function). For the sample function f0 the formula is in the definition (1). The algorithm likewise is conveniently described by this formula because it has no branch points or conditional instructions. A visualization of f0 as a circuit is in Figure 1. The truth table simply lists the values of f0 for each input triple, see Table 2. (It is called “truth table” because it tells whether the complete expression is true (= 1) or false (= 0) depending on the input bits.) The connection between logical calculus and electric circuits essentially goes back to Shannon.

K. Pommerening, Boolean Functions and Boolean Maps x1

x2

@ @

3

x3 R @

@ R @



OR



AND ?

f0 (x1 , x2 , x3 ) Figure 1: Circuit for f0 x1 0 0 0 0 1 1 1 1

x2 0 0 1 1 0 0 1 1

x3 0 1 0 1 0 1 0 1

f0 (x1 , x2 , x3 ) 0 0 0 0 0 1 1 1

Table 2: Truth table for f0

3

The Number of Boolean Functions

The truth table of f0 suggests a simple enumeration of all Boolean functions: For three variables there are 8 = 23 different input triples—each single input bit can assume the values 0 or 1 independently of the other two bits. Furthermore a Boolean function f can assume the values 0 or 1 for each triple independently of the other seven triples. Hence there are 256 = 28 Boolean functions of three variables. The general formula is: n

Theorem 1 There are exactly 22 different Boolean functions of n variables. For four variables this number is 216 = 65536. The number grows superexponentially with n, even the exponent grows exponentially. For a list of all 16 Boolean functions of two variables see Table 3 in Section 7.

K. Pommerening, Boolean Functions and Boolean Maps

4

4

Bitblocks and Boolean functions

For arrangements of bits there are different denotations depending on the context: vector, list, (n-) tuple, . . . For certain special sizes we even have special names such as bytes (for 8 bits), words (for 32 or 64 bits depending on the processor architecture). In this text we prefer the denotation “bitblock” that is common in Cryptography. A bitblock of length n is an ordered list (x1 , . . . , xn ) of bits. There are eight different bitblocks of length 3. Here they are: (0, 0, 0), (0, 0, 1), (0, 1, 0), (0, 1, 1), (1, 0, 0), (1, 0, 1), (1, 1, 0), (1, 1, 1). Sometimes we write them as bitstrings without parantheses or commas: 000, 001, 010, 011, 100, 101, 110, 111, sometimes as columns (n × 1-matrices) when the interpretation as vector is the main aspect. Often we abbreviate (x1 , . . . , xn ) by x. The 2n different bitblocks of length n form the cartesian product Fn2 = F2 × · · · × F2 . This has a “natural” structure as vector space: We can add bitblocks x and y ∈ Fn2 , and multiply them by scalars a ∈ F2 : (x1 , . . . , xn ) + (y1 , . . . , yn ) = (x1 + y1 , . . . , xn + yn ), a · (x1 , . . . , xn ) = (a · x1 , . . . , a · xn ). Here is the mathematically exact definition: Definition A Boolean function of n variables is a map f: Fn2 −→ F2 . We denote the set of all Boolean functions on Fn2 by Fn . By Theorem 1 n it has 22 elements. Convention When we describe a Boolean function by its truth table in general we order it lexicographically for x ∈ Fn2 , as seen in the example above. This order is the natural order of the integers a = 0, . . . , 2n − 1 in binary representation a = x1 · 2n−1 + · · · + xn−1 · 2 + xn corresponding to the bitblocks (x1 , . . . , xn ) ∈ Fn2 .

K. Pommerening, Boolean Functions and Boolean Maps

5

5

Logical Expressions and Conjunctive Normal Form

The mathematical description of Boolean functions—by formulas— essentially follows two ways: • Logic expresses Boolean functions by disjunctions (the operation OR, also written ∨), conjunctions (the operation AND, also written ∧), and negations (the operation NOT, also written ¬). Compositions of these operations are called logical expressions. • Algebra expresses Boolean functions by additions + and multiplications · in the field F2 . Compositions of these operations are called (binary) polynomial expressions. We’ll soon see that both ways lead to a description of all Boolean functions, and that in both cases additional requirements are possible leading to so called normal forms. For cryptologic purposes the algebraic form seems to be somewhat more useful due to its structure (that is yet to explore). On the other hand the logical form leads to an easy implementation in hardware by circuits because the elementary Boolean operations have direct realizations in logic gates. In this text the logical form plays a minor role. Therefore we state the following result without proof. The weaker statement of representability by logical operations (without normalization) will come out as a side result in Section 7, see Theorem 5. Theorem 2 Each Boolean function f of n variables x1 , . . . , xn admits a representation (conjunction) as f (x) = s1 (x) ∧ . . . ∧ sr (x) with a suitable r where the sj (x) for j = 1, . . . , r each have the form (disjunction) sj (x) = tj1 (x) ∨ . . . ∨ tjnj (x) with a certain number nj of terms tjk (x) (j = 1, . . . , r and k = 1, . . . , nj ) that are of the form xi (input bit) or ¬xi (negated input bit) for a suitable index i. In particular nj ≤ n for j = 1, . . . , r. Each individual input bit xi occurs in each of the tjk (x) either directly or negated or not at all. In other words: We can build an arbitrary Boolean function by forming some expressions (the sj (x)) by ORing some of the input bits or negations thereof, and then composing these expressions by AND (“conjunction of disjunctions”). This “normal form” cleanly separates AND- and

K. Pommerening, Boolean Functions and Boolean Maps

6

OR-operations into two layers without further mixing. The defining equation f0 (x1 , x2 , x3 ) = x1 ∧ (x2 ∨ x3 ) of our example f0 from Section 2 is already in “conjunctive” form, but not when written in expanded form f0 (x1 , x2 , x3 ) = (x1 ∧ x2 ) ∨ (x1 ∧ x3 ). This example has no negated input bits. But Table 3 contains some. A Boolean function is in conjunctive normal form (CNF) if it has the form of Theorem 2. This form is not unique. Without further explanation we remark that the CNF may be further refined to a “canonical CNF” that gives some kind of uniqueness. In analogy there is a disjunctive normal form (DNF) (“disjunction of conjunctions”).

6

Polynomial Expressions and Algebraic Normal Form

For (binary) polynomial expressions in the variables x1 , . . . , xn , such as x21 x2 + x2 x3 + x23 , we need as coefficients the constants 0 and 1 only since we operate in the field F2 , and we need not write down these coefficents explicitly. Furthermore we observe that a2 = a for all elements a ∈ F2 (note 02 = 0 and 12 = 1) and so ae = a for all exponents e ≥ 1. This leads to another simplification of binary polynomial expressions: The variables x1 , . . . , xn occur at most with exponent 1. Thus an equivalent expression of our sample polynomial is x1 x2 +x2 x3 +x3 . Another example: x31 x2 +x1 x22 = x1 x2 +x1 x2 = 0. In general a monomial expression (or simply “monomial”) has the form Y xI := xi with a subset I ⊆ {1, . . . , n}, i∈I

in other words, it is the product of some of the variables where the subset I describes the choice of “some of the variables”. An example with n = 3 illustrates this: I = {2, 3} =⇒ xI = x2 x3 , There are exactly 2n of such monomial expressions—as many as subsets we can extract from an n-element set, or form partial products from n potential factors. The empty set corresponds to the product of 0 factors, and this we consider, as common, as being equal to 1. Thus: I = ∅ =⇒ xI = 1. A monomial expression admits a direct interpretation as a Boolean function. We don’t yet know whether these functions are different (but we’ll see it immediately). A polynomial expression is a sum of monomial expressions (as coefficients we only need 0 or 1 because we are in the binary case). Thus the most general

K. Pommerening, Boolean Functions and Boolean Maps

7

(binary) polynomial expression has the form X aI xI I⊆{1,...,n}

where all coefficients aI are 0 or 1. This means that we have to take the sum over a subset of all 2n possible monomial expressions. The number of n possibilities is 22 . The Boolean functions generated by this method are all different, but we have to prove this fact. As a first step we prove that we get all Boolean functions in this way. Theorem 3 Let f : Fn2 −→ F2 be a Boolean function. Then there are coeffizients aI ∈ F2 (hence = 0 oder 1) where I runs through all subsets of {1, . . . , n} such that f can be written as a polynomial expression in n variables of the form: X (2) f (x1 , . . . , xn ) = aI xI . I⊆{1,...,n}

Proof. (Induction on n) Let n = 1. The four possible Boolean functions of a single variable x are the constants 0 and 1, and the non-constants x and 1 + x (= the negation of x). They all have the desired form. Now let n ≥ 1. In the following we abbreviate x0 = (x2 , . . . , xn ) ∈ F2n−1 when x = (x1 , . . . , xn ) ∈ Fn2 . Then x = (x1 , . . . , xn ) may be written as x = (x1 , x0 ). Take a function f ∈ Fn . For an arbitrary fixed value b for the first variable x1 (i. e. b = 0 or 1) we consider the function x0 7→ f (b, x0 ) of the remaining n − 1 variables in x0 . By induction these two functions (for b = 0 as well as for b = 1) have the form f (b, x0 ) = pb (x0 )

for all x0 ∈ F2n−1

where p0 , p1 are polynomial expressions in x0 of the required form. Therefore ( p0 (x0 ), if x1 = 0, f (x1 , x0 ) = for all x = (x1 , x0 ) ∈ Fn2 , p1 (x0 ), if x1 = 1, since x1 can only assume the values 0 or 1. Write this as (3)

f (x1 , x0 ) = (1 + x1 )p0 (x0 ) + x1 p1 (x0 )

for all x ∈ Fn2 ,

to get a polynomial expression in x. Expand this and remove monomials that occur twice, since these cancel out. 3 The second column of Table 3 illustrates the mathematically compact statement of this theorem. Note that the variables in the table are denoted

K. Pommerening, Boolean Functions and Boolean Maps

8

by x and y instead of x1 and x2 , and the coefficients by a, b, c, d instead of a∅ , a{1} , a{2} , a{1,2} . Each row of the table describes a Boolean function of two variables as sum of those terms 1, x, y, xy that have coefficient 1 in the representation of Equation (2), suppressing terms with coefficients 0. The representation of a Boolean function as polynomial expression given by Theorem 3 is called the algebraic normal form (ANF). Note that it n is unique: Since there are 22 polynomial expressions, and these represent n all the 22 different Boolean functions, first all these polynomial expressions must be different as functions, secondly the representation of a Boolean function as a polynomial expression in ANF must be unique. We have shown: Theorem 4 The representation of a Boolean function in algebraic normal form is unique. Definition The degree of a Boolean function f ∈ Fn as polynomial expression in algebraic normal form, deg f = max{#I | aI 6= 0}, is called the (algebraic) degree of f . It is always ≤ n. The degree is the maximum number of variables that occur in a monomial of the ANF. Example The Boolean function given by x 7→ x1 x2 +x2 x3 +x3 has degree 2. Remark A high degree of a Boolean function is not caused by high powers of variables but “only” by products of different variables. Each single variable occurs at most in the first power in each monomial of the ANF. In other words all partial degrees—that are the degrees in the single variables xi without accounting for the remaining variablen—are ≤ 1.

7

Boolean Functions of Two Variables

The 24 = 16 Boolean functions of two variables x and y are listed in Table 3. The table contains the polynomial expressions in algebraic normal form a + bx + cy + dxy as well as logical expressions in conjunctive form. As we saw already each Boolean function in any number of variables has a polynomial expression. To prove the existence of a logical expression we only have to show that the algebraic operations + and · can be expressed by the logical operations ∨, ∧, ¬. This is evident from the corresponding rows of Table 3. This shows (a weak form of the here unproven Theorem 2): Theorem 5 Each Boolean function admits a logical expression, i. e. may be defined by a formula in the logical operations ∨, ∧, ¬.

K. Pommerening, Boolean Functions and Boolean Maps a 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

b 0 0 1 1 0 0 1 1 0 0 1 1 0 0 1 1

c 0 0 0 0 1 1 1 1 0 0 0 0 1 1 1 1

d 0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1

ANF 0 1 x 1+x y 1+y x+y 1+x+y xy 1 + xy x + xy 1 + x + xy y + xy 1 + y + xy x + y + xy 1 + x + y + xy

logical operation False constant True constant x projection ¬x y projection ¬y x XOR y XOR x ⇐⇒ y equivalence x∧y AND ¬(x ∧ y) NAND x ∧ (¬y) x =⇒ y implication (¬x) ∧ y x ⇐= y x∨y OR ¬(x ∨ y) NOR

9 CNF x ∧ ¬x x ∨ ¬x x ¬x y ¬y (x ∨ y) ∧ (¬x ∨ ¬y) (x ∨ ¬y) ∧ (¬x ∨ y) x∧y (¬x) ∨ (¬y) x ∧ (¬y) (¬x) ∨ y (¬x) ∧ y x ∨ (¬y) x∨y (¬x) ∧ (¬y)

Table 3: The 16 operations on two bits (= Boolean functions of 2 variables) Hint The logical negation ¬ corresponds to the addition of 1 in the algebraic interpretation. Remark In analogy we may write the ANF of a Boolean function of three variables x, y, z in the form (x, y, z) 7→ a + bx + cy + dz + exy + f xz + gyz + hxyz. This involves 8 coefficients a, . . . , h, and fits the observation that there 3 are 22 = 28 = 256 such functions. Example What does the ANF of the function f0 from Section 2 look like (here written as f0 (x, y, z) = x ∧ (y ∨ z) using the variables x, y, z)? By Table 3 we have y ∨ z = y + z + yz, whereas the AND operation ∧ simply is the product in the field F2 . Hence f0 (x, y, z) = x · (y + z + yz) = xy + xz + xyz. By the way this shows that f0 has degree 3.

8

Boolean Maps

Most cryptographic applications involve processes that produce several bits at once, not only a single one. An abstract description uses the concept of

K. Pommerening, Boolean Functions and Boolean Maps

10

a Boolean map, that is a map f : Fn2 −→ Fq2 with natural numbers n and q, illustrated by the following figure n input bits ... XgXXXXXXXXXX ... q output bits Note that the conceptual differentiation between “function” and “map” is somewhat arbitrary. We follow a common usage in Mathematics for expressing the property that the range is one- or multidimensional where “map” is the superordinate concept. The images of f are bitblocks of length q. If we decompose them into their components f (x) = (f1 (x), . . . , fq (x)) ∈ Fq2 , then we see that a Boolean map to Fq2 in a canonical way simply is a q-tuple of Boolean functions f1 , . . . , fq : Fn2 −→ F2 . Definition The (algebraic) degree of a Boolean map f: Fn2 −→ Fq2 is the maximum of the algebraic degrees of its components, deg f = max{deg fi | i = 1, . . . , q}. Theorem 6 Each Boolean map f : Fn2 −→ Fq2 has a unique representation in the form X f (x1 , . . . , xn ) = xI aI I⊆{1,...,n}

with aI ∈

Fq2

and monomials xI as in Theorem 3.

Like for functions this representation of a Boolean map is called algebraic normal form. It arises by combining the algebraic normal forms of the component functions f1 , . . . , fq . Compared with Theorem 3 the xI and aI changed their positions for by convention usually the “scalars” (the xI ∈ F2 ) precede the “vectors” (the aI ∈ Fq2 ). The aI simply are the combinations of the corresponding coefficients of the component functions.

K. Pommerening, Boolean Functions and Boolean Maps

11

Example Consider the Boolean map g : F32 −→ F22 defined by the following pair of logical expressions in three variables x, y, z:   x ∧ (y ∨ z) g(x, y, z) := x∧z where we write the components below each other, that is, in a column. In the first component we recognize the function f0 , in the second one the product x · z. Thus the ANF of g is         xy + xz + xyz 1 1 1 g(x, y, z) = = xy · = xz · = xyz · . xz 0 1 0 The algebraic degree is 3, and the value table is in Table 4. In the table we write the values g(x, y, z) ∈ F22 of g as bitstrings of length 2—the different notations of bitblocks, sometimes as column vectors, sometimes as bitstrings are chosen by convenience and are considered as equivalent. x 0 0 0 0 1 1 1 1

y 0 0 1 1 0 0 1 1

z 0 1 0 1 0 1 0 1

g(x, y, z) 00 00 00 00 00 11 10 11

Table 4: The value table of a Boolean map

9

Linear Forms and Linear Maps

A Boolean function f : Fn2 −→ F2 is called a linear form, if it has degree 1 and absolute term 0. This means that the algebraic normal form contains only linear terms, thus it has the form f (x) =

n X

si xi

for all x = (x1 , . . . , xn ) ∈ Fn2

i=1

where si ∈ F2 for i = 1, . . . , n. Since the si can only be 0 or 1 a linear form is a partial sum X αI (x) = xi for all x = (x1 , . . . , xn ) ∈ Fn2 i∈I

K. Pommerening, Boolean Functions and Boolean Maps

12

over a subset I ⊆ {1, . . . , n} of the set of all indices, namely I = {i | si = 1}. We immediately conclude that there are exactly 2n Boolean linear forms in n variables, and they correspond to the power set P({1, . . . , n}) in a natural way. Other common notations are (for I = {i1 , . . . , ir }): αI (x) = x[I] = x[i1 , . . . , ir ] = xi1 + · · · + xir . The following theorem connects linear forms with the usual notation of Linear Algebra: Theorem 7 A Boolean function f: Fn2 −→ F2 is a linear form if and only if the following two conditions hold: (i) f (x + y) = f (x) + f (y) for all x, y ∈ Fn2 . (ii) f (ax) = af (x) for all a ∈ F2 and x ∈ Fn2 . Proof. For each linear form the conditions hold as immediately seen by the representation as partial sum. For the reverse direction let f be a Boolean function that fulfills (i) and (ii). Let e1 = (1, 0, . . . , 0), . . . , en = (0, . . . , 1) be the “canonical unit vectors”. Then each x = (x1 , . . . , xn ) ∈ Fn2 is a sum x = x1 e1 + · · · + xn en . From this we get f (x) = f (x1 e1 ) + · · · + f (xn en ) = x1 f (e1 ) + · · · + xn f (en ), a partial sum of the xi for which the constant value f (ei ) is not 0, hence 1. Thus f is a linear form in the sense of our definition. 3 A Boolean map f : Fn2 −→ Fq2 is called linear if all of its component functions f1 , . . . , fq are linear forms. As in the case q = 1 we see: Theorem 8 A Boolean map f : Fn2 −→ Fq2 is linear if and only if the following two conditions hold: (i) f (x + y) = f (x) + f (y) for all x, y ∈ Fn2 . (ii) f (ax) = af (x) for all a ∈ F2 and x ∈ Fn2 . Theorem 9 A Boolean map f: Fn2 −→ Fq2 is linear if and only if it has the form n X f (x) = xi s i i=1

with si ∈

Fq2 .

K. Pommerening, Boolean Functions and Boolean Maps

13

A Boolean map is called affine if its algebraic degree is ≤ 1 or, equivalently, if it is the sum of a linear map and a constant. In the case q = 1, for functions, the only constants are 0 and 1. Adding the constant 1 is the same as the logical negation that “toggles” the bits. In other words: The affine Boolean functions are the linear forms and their negations.

10

Systems of Boolean Linear Equations

Algebra over the field F2 is quite easy. Many complications known from other mathematical domains break down. This is the case for the solution of systems of linear equations, systems of the form a11 x1 .. .

+ ···

am1 x1 + · · ·

+

a1n xn .. .

=

b1 .. .

+ amn xn = bm

where aij and bi ∈ F2 are given and the xj are the unknowns to be solved for. In matrix notation the equations become Ax = b where x and b are column vectors, that is (n × 1)- or (m × 1)-matrices.

Systems of Linear Equations in Sage As a link with “ordinary” Linear Algebra we consider an example over the rational numbers Q, the system x1 + 2x2 + 3x3 = 0 3x1 + 2x2 + x3 = −4 x1 + x2 + x3 = −1 This is treated by Sage Example 1. The single  1 1. Define the “coefficient matrix” A = 3 1

steps are:  2 3 2 1. 1 1

2. Define the “image vector” b = (0, −4, 1). 3. Let Sage find a “solution vector” x.—Having written the left-hand side of the system as matrix product Ax we have to apply the method solve right().

K. Pommerening, Boolean Functions and Boolean Maps

14

4. The system could have other solutions. We find these by solving the corresponding “homogeneous” system Az = 0. If z is a solution of the homogeneous system, then A · (x + z) = Ax + Az = b + 0 = b, hence x + z is another solution of the original (“inhomogeneous”) system. In this way we get all solutions: For if Ax = b and Ay = b, then A · (y − x) = 0, hence the difference y − x is a solution of the homogeneous system. The Sage method right kernel() determines all solutions of the homogeneous system. 5. The output of right kernel() is somewhat cryptic. It says that all solutions of the homogeneous system are multiples of the vector z = (1, −2, 1). (Since all coefficients are integers Sage considers the system as defined over Z (= Integer Ring).) 6. Finally we verify that y = x − 4z really is a solution, i. e. Ay = b. In the general case (over an arbitrary field) the solution of a system of linear equations is constructed by Gaussian elimination. The Sage method solve right() also uses this algorithm. sage: A = Matrix([[1,2,3],[3,2,1],[1,1,1]]) sage: b = vector([0,-4,-1]) sage: x = A.solve_right(b); x (-2, 1, 0) sage: K = A.right_kernel(); K Free module of degree 3 and rank 1 over Integer Ring Echelon basis matrix: [ 1 -2 1] sage: y = x - 4*vector([1,-2,1]); y (-6, 9, -4) sage: A*y (0, -4, -1) Sage Example 1: Solution of a system of linear equations over Q

Systems of Linear Equations in the Boolean Case In the Boolean case (over the field F2 ) the solution by Gaussian elimination is extremely simple since the only coefficients are 0 and 1, and multiplications or divisions are completely obsolete. There are no complicated coefficients (like fractions over Q) or inexact coefficients (like floating point numbers). So simple is the method that even for six unknowns the solution by “pencil and paper” is faster then writing the corresponding program in Sage. Here is an illustrative example.

K. Pommerening, Boolean Functions and Boolean Maps

15

The basic idea of elimination is reducing to a system with only n − 1 unknowns by “elimination” of one unknown. 1. case: All coefficients ain = 0 for i = 1, . . . , m, that is xn doesn’t occur at all. Then the system is already reduced. 2. case: xn has coefficient 1 in one of the equations. Then we solve this equation for xn : xn = ai1 x1 + · · · ai,n−1 xn−1 + bi , and substitute the resulting term for xn in the other m − 1 equations. These then only contain the unknowns x1 , . . . , xn−1 . (If xn occurs in more then one equation it doesn’t matter which one we choose—in contrast to the situation over other fields where finding an optimal “pivot element” is an essential part of the algorithm.) We continue this approach recursively until only one unknown or one equation is left (whatever happens first). Now a concrete example.

Example x1 x1 x1

+x3 +x2 +x4 x2 +x3 +x5 +x4 +x5 x2 +x4 +x5

+x6 = 1 +x6 = 0 +x6 = 0 = 1 = 1

The first equation yields x6 = x1 + x3 + 1. The remaining system from equations 2 to 5 after elimination is (using x1 + x1 = 0 etc.): x1 x1

x2 +x3 +x4 +x2 +x5 +x4 +x5 x2 +x4 +x5

= = = =

1 1 1 1

We solve the second equation of the remaining system for x5 = x1 + x2 + 1 and substitute, getting

x1

x2 +x3 +x4 = 1 x2 +x4 = 0 +x4 = 0

The last two equations yield x4 = x2 = x1 , and the first one then gives x3 = 1. Now we have the complete solution: x1 = x2 = x4 = x6 = a

with arbitrary a ∈ F2 ,

x3 = 1,

x5 = 1.

Since a may assume the values 0 or 1 there are exactly two solutions: (0, 0, 1, 0, 1, 0) and (1, 1, 1, 1, 1, 1).

K. Pommerening, Boolean Functions and Boolean Maps

16

The Example in Sage Sage code for this example is in Sage Example 2. The Sage method solve right() gives only the one solution (0, 0, 1, 0, 1, 0). To get all solutions we have to solve the homogeneous system: Its solutions are the multiples of the vector (1, 1, 0, 1, 0, 1), hence the two vectors (0, 0, 0, 0, 0, 0) and (1, 1, 0, 1, 0, 1). Thus the second solution of the original system is (0, 0, 1, 0, 1, 0) + (1, 1, 0, 1, 0, 1) = (1, 1, 1, 1, 1, 1). sage: M = MatrixSpace(GF(2), 5, 6) # GF(2) = field with two elements sage: A = M([[1,0,1,0,0,1],[1,1,0,1,0,1],[0,1,1,0,1,1],[1,0,0,1,1,0],\ [0,1,0,1,1,0]]); A [1 0 1 0 0 1] [1 1 0 1 0 1] [0 1 1 0 1 1] [1 0 0 1 1 0] [0 1 0 1 1 0] sage: b = vector(GF(2),[1,0,0,1,1]) sage: x = A.solve_right(b); x (0, 0, 1, 0, 1, 0) sage: K = A.right_kernel(); K Vector space of degree 6 and dimension 1 over Finite Field of size 2 Basis matrix: [1 1 0 1 0 1] Sage Example 2: Solution of a system of Boolean linear equations

Cost Estimate What about the costs for a solution of a system of Boolean linear equations? Consider m equations for n unknowns. The matrix A of coefficients has size m × n, the extended matrix (A, b) has size m × (n + 1). Since we only want a coarse estimate we don’t bother about optimizations, and assume that m = n. In the case of m > n we ignore surplus equations (at the end one has to check whether the found solutions fulfill the additional equations). In the case m < n we add “null equations” (of type 0 · x1 + · · · + 0 · xn = 0). The elimination step, the reduction of the problem size from n to n − 1, needs one run through all the n columns of the extended matrix: • At first in column n, that contains the coefficients of xn , we search the first entry 1. This takes at most n bit comparisions. • Then the row we found (with the first entry 1 in column n) is added to all rows below it that also contain a 1 in column n. This costs one bit

K. Pommerening, Boolean Functions and Boolean Maps

17

comparision and at most n bit addition for each row—we may omit the n-th entry because we know there will be a 0. On the whole we need n bit comparisons and at most n·(n−1) bit additions, a total of at most n2 bit operations. Let us denote the number of needed bit operations for the complete solution of the system by N (n). Then we have the inequality: N (n) ≤ n2 + N (n − 1)

for all n ≥ 2.

Clearly N (1) = 1: We check the one coefficient of the one unknown whether it is 0 or 1 and decide whether the equation has a unique solution (coefficient 1), or whether it is fulfilled for no or for arbitrary values of the unknown (coefficient 0, right-hand side b = 1 or 0). Then we conclude N (2) ≤ 22 + 1, N (3) ≤ 32 + 22 + 1 etc. By induction we immediately get n X N (n) ≤ i2 . i=1

The value of this sum is explicitly known, and we have shown: Theorem 10 The number N (n) of bit comparisons and bit additions needed for the solution of a system of n binary linear equations with n unknowns has the upper bound N (n) ≤

1 · n · (n + 1) · (2n + 1). 6

A slightly coarser statement is that the cost is O(n3 ). In any case it is “polynomial of small degree” in the size n of the problem. Note that the asymptotic complexity over F2 is not smaller than over any other field, although the single steps are much cheaper.

11

The Representation of Boolean Functions and Maps

Some Interpretations of Bitblocks We used bitblocks b = (b1 , . . . , bn ) ∈ Fn2 to represent different objects. A bitblock can stand for: • a vector b ∈ Fn2 (that is itself as a bitblock, written as row or as column), • the argument of a Boolean function or map, for example as the row key in a value table (or truth table),

K. Pommerening, Boolean Functions and Boolean Maps

18

• a bitstring of length n, • a subset I ⊆ {1, . . . , n} that is defined by the indicator b via the equivalence i ∈ I ⇔ bi = 1, • a linear form on Fn2 , expressed as sum of the variables xi for which bi = 1, • a monomial in n variables x1 , . . . , xn with all partial degrees ≤ 1; here bi is the exponent 0 or 1 of the variable xi , • an integer between 0 and 2n − 1 in binary representation; the sequence of the binary “digits” (= bits) is identical with the corresponding bitstring. Conversely the integer is the index (starting with 0) of the bitstring if the bitstrings are ordered alphabetically in increasing order. Of course there could be yet other interpretations—each information eventually has a binary encoding. The bitblocks for n = 3 are listed in Table 5. Some conversion routines are in Sage Example 12.1 (part of the module Bitblock.sage). Integer 0 1 2 3 4 5 6 7

Bitstring 000 001 010 011 100 101 110 111

Subset ∅ {3} {2} {2, 3} {1} {1, 3} {1, 2} {1, 2, 3}

Linear form 0 x3 x2 x2 + x3 x1 x1 + x3 x1 + x2 x1 + x2 + x3

Monomial 1 x3 x2 x2 x3 x1 x1 x3 x1 x2 x1 x2 x3

Table 5: Interpretations of bitblocks of length 3

Representation of the Truth Table of a Boolean Function The interpretation of bitblocks as integers in binary representation leads to an economical representation of the truth table of a Boolean function f : Fn2 −→ F as bitblock b = (b0 , . . . , b2n −1 ) of length 2n : f (x) = bi(x) ,

where i(x) = x1 · 2n−1 + · · · + xn−1 · 2 + xn for

x = (x1 , . . . , xn ) ∈ Fn2 .

At first sight this looks complicated, however it simply means: “Interpret x as the binary representation of an integer i(x), look at the bitblock b, and

K. Pommerening, Boolean Functions and Boolean Maps

19

pick up the bit at position i(x)”. This correspondence is illustrated by an additional column in the truth table, Table 2, of the function f0 , see the extended Table 6. x1 0 0 0 0 1 1 1 1

x2 0 0 1 1 0 0 1 1

x3 0 1 0 1 0 1 0 1

i(x) 0 1 2 3 4 5 6 7

f0 (x1 , x2 , x3 ) 0 0 0 0 0 1 1 1

Table 6: An extended truth table Thus for example the truth table of f0 is simply given by the bitblock (0, 0, 0, 0, 0, 1, 1, 1), or even more economically by the bitstring 00000111 of length 23 = 8.

Representation of the Algebraic Normal Form For the description of the algebraic normal form (ANF) also 2n bits suffice: the coefficients of the 2n different monomials. The monomials also are in the list of interpretations of bitblocks, see Table 5. Using this we may interpret a bitblock a = (a0 , . . . , a2n −1 ) as representation of the ANF of a Boolean function f : Fn2 −→ F in the following way: f (x) =

n −1 2X

e (i)

ai x11

· · · xnen (i)

where i = e1 (i) · 2n−1 + · · · + en (i)

i=0

with

e1 (i), . . . , en (i) = 0 or 1.

Expressed in words this means: “Interpret the n-tuple e of exponents of a monomial as the binary representation of an integer i. Look at position i in the bitblock a whether this monomial occurs in the ANF of f or not.” For the example f0 we already saw that the ANF is f0 (x) = x1 x3 + x1 x2 + x1 x2 x3 , the sum of the monomials with exponent triples 101, 110, 111, corresponding to the integers 5, 6, 7. Thus the economical representation of the ANF by a bitstring is 00000111.

K. Pommerening, Boolean Functions and Boolean Maps

20

Caution! This is the same bitstring as for the truth table by accident—a special property of the function f0 ! The function f (x1 , x2 ) = x1 has the truth table 0011 and the ANF 0010. For determining the ANF from the truth table in the general case we use the Sage module boolF.sage, see Section 12. This transformation that transforms a bitstring of length 2n (the truth table) into another bitstring of length 2n (the list of coefficients of the ANF) is sometimes called the ReedMuller transformation or the binary Moebius transformation. Its application to f0 is demonstrated in Sage Example 3. sage: attach(’Bitblock.sage’) sage: attach(’boolF.sage’) sage: bits = "00000111" sage: x = str2bbl(bits); x [0, 0, 0, 0, 0, 1, 1, 1] sage: f = BoolF(x) sage: y = f.getTT(); y [0, 0, 0, 0, 0, 1, 1, 1] sage: z = f.getANF(); z [0, 0, 0, 0, 0, 1, 1, 1] Sage Example 3: A Boolean function with truth table and ANF Remark Naively evaluating a Boolean function f for all arguments x ∈ Fn2 costs 2n evaluations f (x) each with at most 2n summands with at most n − 1 multiplicatios. Therefore the total cost is about n · 2n · 2n . If we relate the cost to the size of the input—that is N = 2n — we get the quasi-quadratic cost function N 2 · log2 (N ). As is often the case also here a binary recursion—dividing the problem into two partial problems of half the size—leads to a significantly more efficient algorithm. The starting point is Equation (3). The end effect is the quasi-linear cost 3N · log2 N . This algorithm (also called fast binary Moebius transformation) is implemented in the module boolF.sage, see Section 12.2.

Objekt Oriented Implementation An implementation of Boolean functions in Sage (or Python) is given in Section 12.2 (module boolF.sage). Sage itself has a class sage.crypto.boolean function that contains many of the needed methods, but not the fast Moebius transformation. Our implementation is independent.

K. Pommerening, Boolean Functions and Boolean Maps

21

In general in the object oriented paradigma one defines a class as an abstraction of the structure of an object “Boolean function”: Class BoolF: Attributes: • blist: truth table as a list of bits (= bitblock in the “natural” order); we use this as the internal representation of the Boolean function. • dim: the dimension of the domain Methods: • setTT: fill the truth table with a bitblock (“TT” for Truth Table) • setANF: read the ANF and internally transform it to a truth table • setDim: read the dimension of the domain • getTT: return the truth table as a bitblock • value: return the value of the Boolean function for a given argument • getDim: return the dimension of the domain • getANF: return the algebraic normal form (ANF) as bitblock (in the “natural” order) • deg: return the algebraic degree The first three of these, the “set methods”, are only implicitly needed during initialization. For a “human readable” output we additionally define the methods printTT and printANF. Functions for transforming bitlists into integers or bitstrings, or vice versa, are in the module Bitblock.sage. The implementation of Boolean maps builds on functions: Define a class BoolM as a list of objects of the class BoolF with (at least) the analogous methods.

K. Pommerening, Boolean Functions and Boolean Maps

12 12.1

22

Appendix: Boolean Maps in Sage Conversion of Bitblocks

def int2bbl(number,dim): """Converts number to bitblock of length dim via base-2 representation.""" n = number b = [] for i in range(0,dim): bit = n % 2 b = [bit] + b n = (n - bit)//2 return b def bbl2int(bbl): """Converts bitblock to number via base-2 representation.""" ll = len(bbl) nn = 0 for i in range(0,ll): nn = nn + bbl[i]*(2**(ll-1-i)) return nn def str2bbl(bitstr): """Converts bitstring to bitblock.""" ll = len(bitstr) xbl = [] for k in range(0,ll): xbl.append(int(bitstr[k])) return xbl def bbl2str(bbl): """Converts bitblock to bitstring.""" bitstr = "" for i in range(0,len(bbl)): bitstr += str(bbl[i]) return bitstr Sage Example 4: Conversion of bitblocks (in Bitblock.sage)

K. Pommerening, Boolean Functions and Boolean Maps

12.2

23

Class for Boolean Functions

class BoolF(object): """Boolean function Attribute: a list of bits describing the truth table of the function Attribute: the dimension of the domain""" __max = 4096

# max dim = 12

def __init__(self,blist,method="TT"): """Initializes a Booelan function with a truth table or by its algebraic normal form if method is ANF.""" ll = len(blist) assert ll max: max = wt return max Sage Example 6: Boolean functions—continued

K. Pommerening, Boolean Functions and Boolean Maps

25

def printTT(self): """Prints truth table to stdout.""" for i in range(0,2**(self.__dim)): bb = int2bbl(i,self.__dim) print "Value at " + bbl2str(bb) + " is " + repr(self.__tlist[i]) def printANF(self): """Prints algebraic normal form to stdout.""" y = self.__convert(self.__tlist) for i in range(0,2**(self.__dim)): monom = int2bbl(i,self.__dim) print "Coefficient at " + bbl2str(monom) + " is " + repr(y[i]) Sage Example 7: Boolean functions—human readable output

K. Pommerening, Boolean Functions and Boolean Maps

12.3

26

Class for Boolean Maps

class BoolMap(object): """Boolean map Attribute: a list of Boolean functions Attribute: the dimensions of domain and range""" __max = 8

# max dim = 8

def __init__(self,flist): """Initializes a Boolean map with a list of Boolean functions.""" qq = len(flist) assert qq